Allow additional security groups to the load balancer

[mvn-bachhuynh-dn]

Hi guys,
I really happy when we have an options to limit IP to access dev env.

Because It only added in to the rule of a lister rule without delete default rule
You could see that in my screeshot

and here is my manifest.yml

name: copilot-test-svc
type: Load Balanced Web Service
http:
  path: '/'
  allowed_source_ips: ["10.24.34.0/23"]
image:
  build: Dockerfile
  port: 80

cpu: 256       # Number of CPU units for the task.
memory: 512    # Amount of memory in MiB used by the task.
count: 1       # Number of tasks that should be running in your service.
exec: true     # Enable running commands in your container.

network:
        vpc:
                placement: private

and as you may know, only 5 conditions are allowed

So, it seems this option is useless to me because I have more 5 IP to allow.

So, If copilot could allow attaching existed security group of ELB maybe more effective!

Thank you!

[mvn-bachhuynh-dn]

Thank you @efekarakus ,
Hope it will be updated soon.
Beside attaching existed security group of ELB,
Let find another way like as proactive configure it in manifest.yml to change the default security group rule of an ELB.

Thank you!

[efekarakus]

Let find another way like as proactive configure it in manifest.yml to change the default security group rule of an ELB.

Can you elaborate? Are you looking into modifying the following security group:

copilot-cli/templates/environment/versions/cf-v1.4.0.yml

Lines 70 to 87 in bb68802

	PublicLoadBalancerSecurityGroup:
	Metadata:
	'aws:copilot:description': 'A security group for your load balancer allowing HTTP and HTTPS traffic'
	Condition: CreateALB
	Type: AWS::EC2::SecurityGroup
	Properties:
	GroupDescription: Access to the public facing load balancer
	SecurityGroupIngress:
	- CidrIp: 0.0.0.0/0
	Description: Allow from anyone on port 80
	FromPort: 80
	IpProtocol: tcp
	ToPort: 80
	- CidrIp: 0.0.0.0/0
	Description: Allow from anyone on port 443
	FromPort: 443
	IpProtocol: tcp
	ToPort: 443

What would you like to change?

[mvn-bachhuynh-dn]

Hi @efekarakus, yes it is!
I want copilot could modify CIDR default when creating by manifest.
Currently, the security group is allow any (0.0.0.0/0) port 80/443 to public ELB.
Some case like as building develop environments, I need to IP limits.
So I could proactively config my IP in manifest.

proposal:

elb:
   security_group:
      ingress:
          cidrip: ["IP1", ...,"IP10"]
          fromport: <Default getting from expose of dockerfile, or setting from copilot command>
          toport: <Default getting from expose of dockerfile, or setting from copilot command>

[efekarakus]

Another datapoint for this feature from Gitter:

Sure, I can. We use Cloudflare and we like to restrict access to ALBs so only Cloudflare will be able to send requests to them. for example, let's say "a.b.com" is the domain that we want to use for our app. "b.com" is managed by Cloudflare. so we will create a CNAME proxy DNS record in Cloudflare for the subdomain "a" to proxy requests to "a.aws.b.com". so "a.b.com" is managed by Cloudflare and "a.aws.b.com" is managed by Route53 (which will direct requests to ALB) and Copilot in this case. if we can't apply our custom SecurityGroup to "a.aws.b.com", it means that this domain will be exposed publicly and is vulnerable to many types of attacks that we could prevent by Cloudflare. Hope this helps.